Client Management
Create, update, clone, and delete OAuth2/OIDC and SAML clients. Manage resource servers (APIs) and their scopes.
Taco is an open-source management portal that sits in front of your OAuth2 authorization server. It gives teams a self-service UI to create and configure OAuth2/OIDC and SAML clients, while giving platform owners a policy-gated approval workflow before anything reaches production.
Client Management
Create, update, clone, and delete OAuth2/OIDC and SAML clients. Manage resource servers (APIs) and their scopes.
Multi-Provider
Connects to Ory Hydra, Auth0, Azure Entra ID, or any RFC 7592-compliant
authorization server. Switchable via OPENID_PROVIDER.
Multi-Tenant
Organizations and teams with role-based access: member, reviewer, org admin/owner, and instance admin.
Client Registration Workflow
Policy-gated approval with a human review queue, change sets for active clients, and pre-approved templates. Available on the Business plan.
Analytics
Aggregated client and user stats: counts by grant type, application type, and classification, plus active-user trends.
White-label Branding
Customize logo, colors, and domain. Available on the Business plan.
| Feature | Lite | Team | Business |
|---|---|---|---|
| Client management | ✅ | ✅ | ✅ |
| Organizations | ❌ | ✅ | ✅ |
| Onboarding wizard | ❌ | ✅ | ✅ |
| Analytics | ❌ | ✅ | ✅ |
| Teams | ❌ | ❌ | ✅ |
| White-label branding | ❌ | ❌ | ✅ |
| Client registration workflow | ❌ | ❌ | ✅ |
| Feature | Ory Hydra | Auth0 | Azure Entra ID | RFC 7592 |
|---|---|---|---|---|
| OAuth2/OIDC clients | ✅ | ✅ | ✅ | ✅ |
| SAML clients | ❌ | ❌ | ✅ | ❌ |
| Resource servers | ⚠️ Derived | ✅ Native | ❌ | ⚠️ Derived |
| Client cloning | ✅ | ✅ | ✅ | ⚠️ Provider-dependent |
Taco supports four provisioning backends. Pick the one you already run:
See the Providers section for setup instructions for each.
Set PLAN_TIER to lite, team, or business. See the plan comparison for feature differences.
Configure environment variables
At minimum, set:
BASE_URL=https://taco.example.comPLAN_TIER=liteBETTER_AUTH_SECRET=$(npm run auth:secret --silent)DATABASE_URL=pgsql://user:pass@host:5432/taco
EMAIL_FROM="Taco <noreply@example.com>"EMAIL_SERVER=smtps://user:pass@smtp.example.com
OPENID_PROVIDER=ory# ... provider-specific varsFull reference: Configuration.
Run Taco
docker run -d \ --env-file .env \ -p 3000:3000 \ ghcr.io/cerberauth/taco:lite-latestAccess the dashboard
Open BASE_URL in your browser. If SSO is not configured, you will be prompted to sign in with email/password. Create the first admin account on first run.